Lynn Perry was living an online shopping nightmare.
A hacker had snatched her home address and phone and credit card numbers--even the three-digit security code printed on the back of her credit card--and was offering them to anyone willing to pay the asking price: $5.
Perry, a copyright attorney from Mill Valley, Calif., was among 10 people whose personal data was posted last month on a Web site that specializes in the trafficking of stolen information. Even worse, no one bothered to tell her that her credit card information had been compromised.
It's likely that no one was required to do so. Much to the chagrin of consumer advocates, the disclosure laws passed by 23 states during the past three years have had little impact when it comes to ensuring consumers are notified about data theft or loss.
Most existing laws allow merchants plenty of wiggle room when deciding whether to tell customers about such breaches, legal and security analysts said. The majority of state laws, for example, allow a company to stay mum about a robbery if disclosing it would interfere with a police investigation.
That's a huge loophole that could be used in almost every incident of stolen data, said Dan Clements, CEO of CardCops.com, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case "under investigation," he said.
"Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise," Clements said. "Most want to sweep the hack under the rug. Their motivation is clear; they don't want to lose their customers' trust."
Behind the break-ins
The issue of disclosure has taken on greater urgency in the wake of what analyst Avivah Litan of research firm Gartner has called the "most significant data theft ever."
A national retailer suffered a data breach late last year and thieves managed to steal debit card information, including personal identification numbers (PINs), from thousands of consumers across the country. After reports of fraud began to pile up, dozens of banks and credit unions across the country began replacing more than 200,000 debit cards.
Perry lost her personal information in a far smaller incident. She and six other people interviewed by CNET News.com whose details were being sold on the same Web site had one thing in common: They shopped at online electronics store JDM Infrastructure. But none of the victims knew their information had been stolen because JDM Infrastructure had never notified them, they said.
While John Marks, chief executive of JDM Infrastructure, acknowledged that the company knew about a computer break-in, he said no customer data was lost. The online electronics reseller doesn't store such information, he said. But regardless of who lost it, did Marks feel compelled to warn customers of the potential threat of identity theft?
"We did everything we were supposed to do," Marks said.
Marks may well be right, but consumer advocates are alarmed by such attitudes.
"Companies who lose this kind of information owe it to their customers to take responsibility," said Christopher Goetcheus, spokesman for the Massachusetts Office of Consumer Affairs. "We want companies to treat their customers' trust as their most important asset."
On the lawbooks
To understand the problem with disclosure laws around the U.S., California's SB 1386 is a good place to start, because most other state laws were patterned after it.
Passed in September 2002, the California law allows a merchant to stay quiet about a digital data breach if the information lost was encrypted. This could apply even if the "key" to unlock the encryption was also stolen, analysts said. In addition, the state law is unclear on the issue of a merchant's responsibility if the company's technology provider, such as a Web hosting company, suffered an intrusion.
The law also requires notification to any resident "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." But it offers no criteria for determining "reasonable" belief. Merchants are left to decide for themselves what is reasonable, legal experts said.
While California's laws allow plenty of leeway to merchants, consumer advocates say New York's state disclosure laws are a model for consumer protection. Passed in August 2005, S03492 requires any data compromise that has exposed the personal information of New York residents to be disclosed.
I would like to inform all who read this that the year is 2006.
1. 1 in 8 adults have had their identity stolen, with that number steadily rising.
2. It takes a Congressman in Ohio to pass a law in Iowa against identity theft.
3. New York has the best consumer protection but might very well not be enough due to Federal Guidelines.
What "in the pickles" is wrong with all three of those statements above? I'll tell you what is wrong -- no consistency! Anywhere!
And we as a society are supposed to embrace a technology that would allow us to simply hit up a web site, order our favorite product or products, and see it in three days without ever leaving the house. Mmmmn convenience!
Now that's a grandiose notion due to politicians and big business whose sole purpose is to keep their clients in lieu of money. How are we supposed to feel safe in cyberspace, let alone real space, knowing that our data could be stolen from any one of those big businesses like Amazon or eBay?
The only people that are being saved are the businesses selling the product or service. They get to continue to keep their clients and their clients' money while leaving their clients to fend off the thieves' aftermath.
FYI, server administrators are paid to ensure that servers are up to date and patched. After all, that is how data is stolen and servers hacked: un-patched programs that reside on a server. So why shouldn't businesses be made RESPONSIBLE for not patching servers?
It is a known fact that exploits are taken and used against these very companies to get to your data using readily available tools from the net. Because these companies find it "expensive" in some sorts to maintain the patches, they just leave the servers unsecured, in return making these companies easy targets for hackers.
"I guess it's ok to pay your Network Administrator $100,000 a year to replace keyboards. Personally I think his talent is useful in other places, but what would I know (www.Tech01.net)?"
Where are the people in all of this? After all, we are trying to protect the "People's" data. Here's a freebie for all you politicians, especially Bush.
How about a Federal Law making ANYBODY's server that holds ANY PERSONAL DATA of CLIENTS, either POTENTIAL or CURRENT, report ANY breaches in the respective databases.
Here's a little bone to add to that: If a server is breached it must also be reported to the FBI and logged. Then, if it is deemed that the business was at fault, a $75,000 fine is imposed on the company.
Gee, look at that, a commoner makes a one paragraph law that makes sense and works across the board to ensure "The People of the United States of America" are protected against such crimes as Identity Theft as well as Cyber Theft.
~Justin
www.Tech01.net
There are probably 2 to 3 times more breaches than we are ever told about. Most private companies are too worried about customers and revenue to put in proper security and to perform checks and audits of that security. Of the three large employers with commerce-based web sites I have worked for, only one would know if there was a breach. One company, an Austin-based promo products company, has had many questionable problems and never tells the customers it has about the problems. The whole company is run on pirated software and every exec has known about the problems and the pirating for over 5 years. Yet they continue to generate millions in revenue every year and they have Banks and Hospitals as customers! As an employee I cannot tell the customers or I will get fired and sued. Contacting government agencies does nothing, and even sending a list of the pirated software to the BSA accomplishes nothing. Any idiot can set up a web site and take money. There is nothing to compel them to manage security or software licenses. It's a very sad state. Use cash and do not buy online.
Corporate slackers, pay peanuts for computer security, and that's what you get: wholesale theft of data held in any corporate computer!
But since in most corporations we pay inflated salaries, with similarly large amounts of funds going to their over-inflated expense accounts (Jack's style) and share options, at the end of the day there are no funds left in the kitty for any form of data security!
Alas, you pay for what you get and get what you pay for, but you can't get much security for peanuts!
Some choices in real life can be very costly for some!
Knowing that I was going to take out a line of credit on my house in a month, I ran a little test. I notified the 3 major credit agencies that my identity may have been stolen, then waited until they confirmed in writing that my credit files had been appropriately flagged. Then I applied for the $100,000 line of credit against my house, and got it, and none of them contacted me about it. Where's the protection?
Information is stolen all the time. Much of it hits the news.
But the problem as I see it here is that customers' PIN information is also stored online as well.
THAT INFORMATION FOLKS!!! is WHAT SHOULD NEVER BE STORED!!!
They claim they did everything possible... but apparently that didn't include NOT storing the PIN number...
So if ya ask me... They DIDN'T do everything possible... either before (storing the PIN) OR afterwards (notifying their customers of the breach).
Whether it's required by law or not is another issue!!! The common sense thing to do (laws or not) is to notify those who are affected... which they didn't do!
So in my book... they're guilty on both counts of NOT doing EVERYTHING possible in the PRE-BREACH as well as NOT doing EVERYTHING possible in the POST-BREACH!
Walt
Did you freeze or just put on a watch?